About this Guide 


Thank you for your interest in Qualys Endpoint Detection and Response (EDR). 


Qualys EDR expands the capabilities of the Qualys Cloud Platform to deliver threat 
hunting and remediation response. EDR detects suspicious activity, confirms the presence 
of known and unknown malware, and provides remediation response for your assets. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/ 




Get Started 


Endpoint Detection and Response (EDR) is an evolved superset of the IOC app. EDR 
expands the capabilities of the Qualys Cloud Platform to deliver threat hunting and 
remediation response. EDR detects suspicious activity, confirms the presence of known 
and unknown malware, and provides remediation response for your assets. 


EDR unifies different context vectors like asset discovery, rich normalized software 
inventory, end-of-life visibility, vulnerabilities and exploits, misconfiguration, in-depth 
endpoint telemetry, and network reachability with a powerful backend to correlate it all 
for accurate assessment, detection and response, all in a single, cloud-based app. 


For more information on the Endpoint Detection and Response app, contact your 
Technical Account Manager (TAM) or Qualys Support. 


We'll help you get started quickly! 


Steps to start investigating EDR incidents and events 


[Figure: three-step workflow, Discover and Monitor > Detect, Analyze and Prioritize > Respond and Prevent. Discover and Monitor: continuously discover and dynamically monitor IT assets with their attack surface, across your hybrid environment, to automatically enable EDR on them. Respond and Prevent: use the multi-fold response capabilities to remediate.] 


Discover and Monitor 


Install lightweight agents in minutes on your IT assets. These can be installed on your 
on-premises systems, dynamic cloud environments and mobile endpoints. Cloud Agents (CA) 
are centrally managed by the cloud agent platform and are self-updating (no reboot 
needed). 


Enable EDR in a CA Configuration Profile and tell us which EDR artifacts you want to 
transmit to the Qualys Cloud Platform. 


For more information, see Download and Configure Cloud Agent for EDR. 


Detect and Investigate 


View and investigate your EDR incidents and events in one central location. You'll see all 
incidents detected across all of your assets. Search all of your incidents and events in a 
matter of seconds. 


For more information, see EDR Investigation. 


Respond and Prevent 


Remediate the suspicious and malicious events from a central location. A remediation 
action option will be displayed against the malicious or suspicious event. 


For more information, see Remediation Action. 


We'll describe these steps in more detail in the sections that follow. 




Download and Configure Cloud Agent for EDR 


You'll need to install a Cloud Agent that's been activated for EDR on each asset you want 
to monitor for suspicious activity. 


If you are a new customer, you must first download and install the default EDR key. For 
more information, see Download Cloud Agent for EDR. 


If you are an existing customer, you can either: 


- Select the existing activation key and upgrade the associated agents for EDR. For more 
information, see Upgrade Existing Agents. 


- Install a new Cloud Agent and activate the agent for EDR. For more information, see 
Install Cloud Agent. 


Note: You must upgrade to Cloud Agent version 4.1 and above to utilize all the EDR 
functionality. 


Download Cloud Agent for EDR 


From the EDR welcome page, click Download Cloud Agent. 
[Screenshot: EDR welcome page, "Find IT endpoints and enable EDR", with the Download Cloud Agent, Configure Agents for EDR, Manage Tags, Visit Asset Inventory and Dashboard options] 


Click on Windows.exe from the Download and Install Cloud Agent page. 


[Screenshot: Download and Install Cloud Agent page. It reads: "Select the OS and download the agent installer to your local machine. Run the installer on each host from an elevated command prompt", with the Windows .exe (x86_64) installer listed] 




From the Installation Instructions page, download the agent installer and copy it to the 
host machine. 


Copy and run the Installation Command on the Host. 


[Screenshot: Installation Instructions page for the Windows .exe (x86_64) agent, version 4.0.0.364. System Requirements: local administrator privileges on the host; the host must reach the Qualys Cloud Platform (or Qualys Private Cloud Platform) over HTTPS port 443. Installation Steps: download the agent installer and copy it to the host machine, then run the Installation Command on the host (use group policy or a system management tool to distribute). Links: Supported OS versions, Got Proxy?, Need Troubleshooting?, View Activation Key] 


After you have successfully downloaded and installed the default installation key, you can 
install more activation keys. For more information, see Install Cloud Agent. 


Configure Agents for EDR 


From the EDR welcome page, click Configure Agents for EDR. 


[Screenshot: EDR welcome page, "Find IT endpoints and enable EDR", with the Configure Agents for EDR option highlighted] 


On the Configure Agents for EDR window, you can: 
- Select the existing activation key and upgrade the associated agents for EDR. 
- Install new Cloud Agent and activate the agent for EDR. 




Upgrade Existing Agents 


From the Configure Agents for EDR window, select one or more Activation Keys and 
click Upgrade. 


[Screenshot: Upgrade Agents with Activation Keys window. It reads: "EDR requires the activation of a purpose-built engine for detecting missing patches for Cloud Agents. Select Activation keys which you want to upgrade for EDR. All the agents associated with those keys will be upgraded." The list shows each activation key with its modules and agent count, with a Manage Cloud Agent Keys link above it] 


On the confirmation window, click Upgrade to initiate the process. All the agents 
associated with the activation key will be upgraded and enabled for EDR. 


[Screenshot: Upgrade Activation keys confirmation window. It reads: "All agents associated with selected keys will be upgraded to EDR."] 


EDR requires the activation of a purpose-built engine for detecting missing patches. 
While this engine is extremely lightweight and efficient, activating Cloud Agents for 
EDR will require a 20MB download and 100MB of free space on each host for these 
components. 


Install Cloud Agent 


From the Configure Agents for EDR window, click Manage Cloud Agent Keys. You will be 
re-directed to the Cloud Agent app. 


[Screenshot: Upgrade Agents with Activation Keys window with the Manage Cloud Agent Keys link highlighted] 


Click Agent Management » Activation Keys » New Key. Give it a title, provision it for the 
EDR application and click Generate. 


[Screenshot: New Activation Key window. It reads: "An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time." Fields shown: Title, tags, and Provision Key for these applications (Asset Inventory, Endpoint Detection and Response, Secure Config Assessment, Patch Management, Policy Compliance, File Integrity Monitoring, each with its remaining activations), then Unlimited Key and Generate] 


[Screenshot: New Activation Key window after generation, "New activation key generated successfully". It reads: "Give your key a name and add tags to easily find agents installed using this key. We'll associate the tags to the agent hosts." Shown: the Activation Key, Key Type: Unlimited key, and Installation Requirements with an Install instructions link per platform: Windows x86-32/64 (.exe, Microsoft Windows Client and Server), Linux x64 (.rpm), Linux ARM64 (.rpm) and Debian/Ubuntu, covering Red Hat Enterprise Linux, CentOS, Fedora, OpenSUSE, SUSE Enterprise Linux, Amazon Linux and Oracle Enterprise Linux] 




As you can see you can provision the same key for any of the other applications in your 
account. 


Click on Install Instructions against the Windows (.exe) option. 


Want to do this step later? No problem, just exit the wizard. When you're ready, return 
to your activation keys list, select the key you want to use, then Install Agent from the 
Quick Actions menu. 


[Screenshot: New Activation Key window, "You are ready to install the agent", current agent version 4.0.0.364, with a Deploying in Azure Cloud option. Windows Installation Requirements: click for the list of supported operating system versions; to install the agent you must have local administrator privileges on your host; your host must be able to reach the Qualys Cloud Platform or the Qualys Private Cloud Platform over HTTPS port 443; do you have a proxy? Learn more. Steps to Install the Windows Agent: download the agent installer (file size 15.4 MB), which is saved to your downloads area as defined by your local system; copy QualysCloudAgent.exe to the host you want to monitor and run the command, or use group policy or a systems management tool; click here to troubleshoot] 




Review the installation requirements and click Download.exe. 


You'll run the installer on each host from an elevated command prompt, or use a 
systems management tool or Windows group policy. 


Your agents should start connecting to our cloud platform. 


Activate your agents for EDR 


[Screenshot: Cloud Agent app, Agent Management > Agents tab, listing agents with their host, OS and version. The Quick Actions menu for an agent shows View Asset Details, Add Tags, Assign Config Profile, Activate Agent, Deactivate Agent, Uninstall Agent and Activate for FIM or EDR or PM or SA] 


On the Agents tab choose your agent and “Activate for FIM or EDR or PM or SA” from the 
Quick Actions menu. (Bulk activation is supported using the Actions menu.) 




Enable EDR in a configuration profile 


Go to the "Configuration Profiles" tab, create a new profile or edit an existing one. Walk 
through the profile creation wizard. When you get to the EDR tab: 


[Screenshot: Configuration Profile Edit, Endpoint Detection and Response tab, showing the "Enable EDR module for this profile" toggle and the Configuration settings: payload size to transmit to platform, Payload threshold time (secs, 30 - 1800, the maximum time between EDR payloads sent to the server) and Maximum disk for EDR Data] 


(1) Toggle Enable EDR module for this profile to ON. This is required for EDR data 
collection to occur. 


(2) Configure what EDR artifacts are transmitted to the Qualys Cloud Platform. Defaults 
are provided as shown, so this step is optional. You can configure values for max event 
log size, payload threshold time, and maximum disk usage for EDR data. Toggle a 
configuration setting to ON before using it. You must set at least one configuration 
setting to ON if you have enabled EDR for this profile. 


These settings determine when buffered EDR events are transmitted to the Qualys Cloud 
Platform: 


Max event log size: EDR events are transmitted to the Qualys Cloud Platform when the 
EDR event log file reaches the maximum specified size. You can specify a file size 
between 10 KB and 10240 KB. Default is 1024 KB. This value can be lower if the Payload 
threshold time is lower. 


Payload threshold time: EDR events are transmitted to the Qualys Cloud Platform when 
the EDR payload threshold time is hit, i.e., the specified number of seconds has elapsed 
since the previous payload was sent to the Qualys Cloud Platform. You can specify a 
threshold between 30 seconds and 1800 seconds. Default is 60 seconds. The lower this 
value, the better, to prevent data loss on busy systems. 


Maximum disk usage for EDR Data: This is the maximum size on disk available to a Cloud 
Agent for caching EDR events to be sent to the Qualys Cloud Platform for processing. If 
the maximum size is reached, the oldest events are deleted in order to create space for 
newly generated events. You can specify a disk usage size between 100 MB and 2048 MB. 
Default is 1024 MB. 
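The following is an added illustration of how those three settings interact. It is not Qualys agent code and assumes a simplified model: events accumulate in a local event log, a payload is sent when the log reaches Max event log size or when Payload threshold time has elapsed since the log was opened, and payloads the host cannot upload are cached on disk up to Maximum disk usage, oldest events evicted first. The event sizes and timings are constructed.

```python
"""Simulator of the three EDR upload settings from the CA configuration profile.

Added illustration, not Qualys agent code; the buffering model is an assumption.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EdrProfileSettings:
    """The three settings with the ranges and defaults the guide documents."""
    max_event_log_kb: int = 1024        # 10 - 10240 KB
    payload_threshold_secs: int = 60    # 30 - 1800 seconds
    max_disk_mb: int = 1024             # 100 - 2048 MB

    def __post_init__(self) -> None:
        if not 10 <= self.max_event_log_kb <= 10240:
            raise ValueError("max event log size must be 10-10240 KB")
        if not 30 <= self.payload_threshold_secs <= 1800:
            raise ValueError("payload threshold time must be 30-1800 seconds")
        if not 100 <= self.max_disk_mb <= 2048:
            raise ValueError("maximum disk usage must be 100-2048 MB")


@dataclass
class AgentEdrBuffer:
    settings: EdrProfileSettings
    online: bool = True                            # can the host reach the platform now?
    log: list = field(default_factory=list)        # (event_id, size_bytes) in the open log
    log_bytes: int = 0
    log_opened_at: float = 0.0
    cache: deque = field(default_factory=deque)    # events parked on disk while offline
    cache_bytes: int = 0
    payloads: list = field(default_factory=list)   # (trigger, [event ids]) sent or cached
    uploaded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)    # evicted from the disk cache (data loss)

    def record(self, now: float, event_id: str, size_bytes: int) -> None:
        """The agent captures one EDR event of the given size at time `now`."""
        if not self.log:
            self.log_opened_at = now
        self.log.append((event_id, size_bytes))
        self.log_bytes += size_bytes
        if self.log_bytes >= self.settings.max_event_log_kb * 1024:
            self._send_payload("log size")
        self.tick(now)

    def tick(self, now: float) -> None:
        """Periodic housekeeping: time-based flush, then drain the cache if online."""
        if self.log and now - self.log_opened_at >= self.settings.payload_threshold_secs:
            self._send_payload("threshold time")
        if self.online:
            while self.cache:
                event_id, size = self.cache.popleft()
                self.cache_bytes -= size
                self.uploaded.append(event_id)

    def _send_payload(self, trigger: str) -> None:
        payload, self.log, self.log_bytes = self.log, [], 0
        self.payloads.append((trigger, [event_id for event_id, _ in payload]))
        if self.online:
            self.uploaded.extend(event_id for event_id, _ in payload)
            return
        limit = self.settings.max_disk_mb * 1024 * 1024
        for event in payload:
            self.cache.append(event)
            self.cache_bytes += event[1]
            while self.cache_bytes > limit:          # oldest events are deleted first
                old_id, old_size = self.cache.popleft()
                self.cache_bytes -= old_size
                self.dropped.append(old_id)


def threshold_demo() -> list:
    """Small log and short threshold: one payload by size, one by time."""
    buf = AgentEdrBuffer(EdrProfileSettings(max_event_log_kb=10,
                                            payload_threshold_secs=30, max_disk_mb=100))
    buf.record(0, "e1", 4096)
    buf.record(1, "e2", 4096)
    buf.record(2, "e3", 4096)    # 12 KB >= 10 KB: flushed by log size
    buf.record(3, "e4", 1024)
    buf.tick(33)                 # 30 s after e4 opened the log: flushed by time
    return buf.payloads


def offline_burst_demo() -> tuple:
    """A busy host that cannot reach the platform: the disk cap causes data loss."""
    buf = AgentEdrBuffer(EdrProfileSettings(max_event_log_kb=1024,
                                            payload_threshold_secs=60, max_disk_mb=100),
                         online=False)
    for i in range(150):                       # 150 MB of events, 1 MB each, one per second
        buf.record(i, f"ev{i}", 1024 * 1024)   # each fills the 1024 KB log and is cached
    buf.online = True                          # connectivity returns
    buf.tick(150)
    return len(buf.dropped), len(buf.uploaded), buf.uploaded[0]
```

The offline run shows the trade-off behind the guide's advice: on a busy host that loses connectivity, a 100 MB cache keeps only the most recent 100 MB of events and everything older is discarded, so Maximum disk usage should be sized against the host's event rate and the longest outage you expect to ride out.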


Setting up asset tags (optional) 


Setting up asset tags using Global IT Asset Inventory helps you to associate EDR assets 
with a CA configuration profile enabled for EDR. You can avoid assigning configurations 
manually to each asset by adding asset tags to the required CA configuration profiles. 


How to create tags 


From the EDR Welcome page, select Manage Tags. 


[Screenshot: EDR welcome page, "Find IT endpoints and enable EDR", with the Manage Tags option highlighted] 


Click Create Tags to add tags for your EDR assets. You can use a single tag or multiple tags 
to mirror your production configuration. 


[Screenshot: Global IT Asset Inventory app (Home, Dashboard, Inventory tabs) where tags are created] 


Not interested in tags? No problem. You can manually assign individual assets to your 
profiles. 


Additional Reference 


For information on the Cloud Agent platform matrix, see Cloud Agent Platform Availability 
Matrix. 


What's next? 


EDR starts collecting data and analyzing your systems right away! Return to the EDR app 
where you can check out the incidents detected by EDR and system events and details 
captured by the cloud agent. 


EDR Investigation 


How to Search 


Our searching and filtering capabilities give you the ability to quickly find everything 
about your incidents, events and assets in one place using Qualys Advanced Search. You 
can search for incidents and assets in their respective tabs in the same way. 


You'll notice the Search box while viewing dynamic lists of events, incidents, and assets. 
This is where you'll enter your search query. 


[Screenshot: EDR Hunting tab, Current View, showing the Search box above the Total Events timeline and the event list (1-50 of 33,112)] 


Start typing and we'll show you the properties (fields) you can search like asset.localIPv4, 
file.path, etc. and scroll down to see all the fields. 


[Screenshot: the search box on the Hunting tab with the field suggestions list open (file.creatingapplication, file.fullpath, file.nonpefile, file.numofpages, file.path, ...) and a View All Tokens link. A registry event is visible in the list below: "Registry key HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch2 is written by svchost.exe" on DESKTOP-8QQLO74, No Action Required] 

Select the one you're interested in. Check out the Syntax help for the selected field to the 
right to help with creating your query. 


Enter the value you want to match. For this field you select from a list of predefined 
values. Then hit Enter. 


[Screenshot: Syntax help for the selected field network.protocol. It reads: "Use a string value to find events with a network protocol name you're looking for (TCP or UDP)."] 

That's it! Your matches will appear in the list you're viewing. Filters on the left help you drill 
down to objects of interest. 


Tip - Use your queries to create dashboard widgets on the Dashboards tab. 


[Screenshot: Hunting tab results for the query network.protocol:TCP, Last 30 Days, 155 Total Events (1-50 of 155). Columns: Detected, Type, Event, Asset, Score, Details, Remediation Action. Sample row: "Network connection 10.115.27.54 : 3128 is established by svchost.exe" on DESKTOP-7SS0300, No Action Required] 

Tip - Go to the EDR online help for details on search language and sample queries. 


Hunting events 

The Hunting tab has the following two sub tabs: 

- Current View: This tab lists all the events that are active on the assets. 

- Historic View: This tab lists all the events registered and executed on the asset. 

You can: 

1) Search for events by event properties, group events by type, and view event details 
and asset details. 

2) Jump to events that occurred in a certain time-frame. 

[Screenshot: Hunting tab, Current View, with callouts on the search box (1) and the Last 30 Days date range selector (2). The left panel groups events by Type (file, network, process, registry, mutex), Event Action (created, established, rename, ...) and Score. Sample rows show malicious process, malicious file and malicious mutex events on test assets tagged test-mal / testtype, each with a Remediation Action] 


Investigate incidents 


Investigate incidents for active threats by malware name and malware family name. All 
the incidents detected on an asset are listed here. Know the OS and host on which the 
incident was detected, the events detected, and other information at a quick glance. 


[Screenshot: Incidents tab, Last 30 Days, 361 Total Incidents, with counts of incidents that contain Process, File, Network, Registry and Mutex events, left-panel groupings by Malware Family and Malware Category, and columns Risk Score, Incident Description (e.g. "Generic activity found"), OS, Host and Detected Events] 


Look into assets monitored by EDR 


Get up-to-date views of a selected asset's details, its events and incidents. Using the Quick 
Actions menu, view the Asset Details, Event Details, and Incident Details. 


[Screenshot: Assets tab listing the assets monitored by EDR with their operating system, agent version, last activity dates, user and tags. The Quick Actions menu for an asset offers View Details, View Events and View Incidents; the left panel groups assets by Tags and Operating System] 


Narrow your results 


Once you have your search results you may want to organize them further into logical 
groupings. Choose a group by option on the left side. You'll see the number of events or 
assets per grouping. Click on any grouping to update the search query and view the 
matching incidents or events. 
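As an added example (not Qualys code), the following implements the simplest subset of the search behaviour described under How to Search together with the group-by narrowing described here: space-separated field:value terms such as network.protocol:TCP, all of which must match, dotted field names resolved against the event, and per-grouping counts that append the chosen grouping to the query. The event records are constructed samples shaped after the events visible in the screenshots; the real Qualys query language supports far more operators than this subset.

```python
"""A tiny field:value matcher over EDR-style event records.

Added example, not Qualys code. Only the `field:value` subset of the search
syntax is implemented; the sample events below are constructed.
"""
import re
from collections import Counter

# Constructed sample events; the dotted field names mirror the ones the guide lists.
SAMPLE_EVENTS = [
    {"type": "network", "action": "established", "score": 3,
     "network": {"protocol": "TCP", "remoteIP": "10.115.27.54", "remotePort": 3128},
     "process": {"name": "svchost.exe"},
     "asset": {"name": "DESKTOP-7SS0300", "localIPv4": "10.115.124.132"}},
    {"type": "network", "action": "established", "score": 3,
     "network": {"protocol": "TCP", "remoteIP": "10.115.27.54", "remotePort": 3128},
     "process": {"name": "svchost.exe"},
     "asset": {"name": "DESKTOP-7SS0300", "localIPv4": "10.115.124.132"}},
    {"type": "network", "action": "listening", "score": 2,
     "network": {"protocol": "UDP", "localPort": 5353},
     "process": {"name": "svchost.exe"},
     "asset": {"name": "DESKTOP-8QQLO74", "localIPv4": "10.115.121.213"}},
    {"type": "registry", "action": "written", "score": 1,
     "registry": {"key": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch2"},
     "process": {"name": "svchost.exe"},
     "asset": {"name": "DESKTOP-8QQLO74", "localIPv4": "10.115.121.213"}},
    {"type": "file", "action": "created", "score": 7,
     "file": {"path": r"C:\Users\Administrator\OD_Malwares\OD_downloads.exe", "nonpefile": False},
     "asset": {"name": "DESKTOP-8QQLO74", "localIPv4": "10.115.121.213"}},
    {"type": "mutex", "action": "created", "score": 9,
     "mutex": {"name": r"\BaseNamedObjects\SkyDrive Mutex"},
     "asset": {"name": "TP1IN20-Rishabh", "localIPv4": "10.115.126.122"}},
]

# One term: a dotted field, a colon, then either a quoted value or a bare token.
TERM = re.compile(r'(?P<field>[A-Za-z0-9_.]+):(?P<value>"[^"]*"|\S+)')


def parse_query(query: str) -> list:
    """Split `a.b:x c:"y z"` into [("a.b", "x"), ("c", "y z")]; reject anything else."""
    terms, rest = [], query
    for match in TERM.finditer(query):
        terms.append((match.group("field"), match.group("value").strip('"')))
        rest = rest.replace(match.group(0), "", 1)
    if rest.strip():
        raise ValueError(f"unsupported query syntax near: {rest.strip()!r}")
    return terms


def lookup(event: dict, dotted: str):
    """Resolve `asset.localIPv4` against nested dicts; None when the field is absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(event: dict, terms: list) -> bool:
    """Every term must match; comparison is on the string form, case-insensitive."""
    for name, wanted in terms:
        found = lookup(event, name)
        if found is None or str(found).lower() != wanted.lower():
            return False
    return True


def search(events: list, query: str) -> list:
    """All events matching the query (an empty query matches everything)."""
    terms = parse_query(query)
    return [event for event in events if matches(event, terms)]


def group_counts(events: list, query: str, by: str) -> dict:
    """The per-grouping counts shown in the left-hand group by panel."""
    return dict(Counter(str(lookup(event, by)) for event in search(events, query)))


def narrow(query: str, by: str, chosen: str) -> str:
    """Clicking a grouping adds its term to the query, as the guide describes."""
    return f"{query} {by}:{chosen}".strip()
```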


[Screenshot: Hunting tab, Current View, with the left-hand group by panel: Type (file, mutex, network, process, registry), Event Action (created, established, listening, rename, running, ...) and Score, beside the event list showing mutex and file events with their detection times] 


Download your results 


By downloading search results to your local system you can easily manage incidents or 
events outside of the Qualys platform and share them with other users. You can export 
results in multiple formats (CSV, XML, PDF, DOC, PPT, HTML-ZIP, HTML-Web Archive). 


Remediation Action 


You can remediate malicious events detected on the assets using the Quarantine File, 
Delete File, and Kill Process options. Remediation actions can be performed for File, 
Process, Network, and Mutex events from the Hunting and the Event Details page. 


The remediation options are available under the Remediation Action column and on the 
Event Details page only for: 


- Events in Active View. 
- Events with a score between 2 and 10. 


Note: Events that have been remediated are given a score of 1. 


[Screenshot: Hunting tab, Historic View, Last 30 Days, 1-50 of 8,404 events, with columns Detected, Type, Event, Asset, Score, Details and Remediation Action. Rows include suspicious file, malicious process and malicious mutex events, each with a Remediation Action button] 


Use the Filters option to view the malicious events from the list. 


[Screenshot: Hunting tab, Current View, with the Filters option open and "Malicious events" selected] 


Remediation action for file events 

You can remediate malicious file events using the following options: 


- Quarantine File: Using this option, the file is encrypted and then moved to the 
Quarantine folder (C:\ProgramData\Qualys\QualysAgent\Quarantine\) on your asset. The 
Quarantine folder is automatically created once you upgrade to agent 4.0 and above. You 
can undo this action and restore the file to its original position using the UnQuarantine 
option from the User Activity tab. For more information, see UnQuarantine File. 


- Delete File: Using this option, the file is permanently deleted from your asset. You 
cannot undo this action. 


To perform remediation action on file events: 


1) Select the required file event and from the Remediation Action column, click 
Quarantine File or Delete File from the drop-down list. 


Note: You can also perform the remediation action from the Event Details page. 


[Screenshot: Hunting tab, Current View, with the Remediation Action drop-down open for a suspicious file event ("Suspicious file C:\Users\Administrator\OD_Malwares\OD_downloads.exe is created", Generic Trojan) showing Quarantine File] 

2) Based on your selection (Quarantine File/Delete File), one of the following windows is 
displayed. Enter the required comment and click Execute Action. 


[Screenshot: the Quarantine File and Delete File windows side by side. Each reads "This response and other actions will be executed on the following events and hosts", lists the event (OD_downloads.exe in C:\Users\Administrator\OD_Malwares, Generic Trojan) and its host, and has a required Comments field (255 characters) and an Execute Action button] 


3) A pop-up message indicating the status of the submission request is displayed on the 
screen. Click View Request Status in the pop-up message to view the status (In Progress, 
Success, Failed) of the remediation request on the User Activity tab. 
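An added model of the rules in this section (not Qualys agent code): which events are offered a Remediation Action, the score of 1 after remediation, and the Quarantine File / UnQuarantine round trip in which the file is transformed so the copy is no longer runnable, moved into a quarantine folder with a sidecar record, and later restored byte-for-byte after an integrity check. The keystream transform, the request ids and the temporary folder are assumed stand-ins for the agent's own scheme and its C:\ProgramData\Qualys\QualysAgent\Quarantine\ folder; the sample file is constructed.

```python
"""Model of file-event remediation rules and the quarantine/restore round trip.

Added example, not Qualys agent code. Transform, folder and ids are illustrative.
"""
import hashlib
import json
import os
import secrets
import tempfile
import uuid
from pathlib import Path


def is_remediable(event: dict) -> bool:
    """Guide's rule: only active-view events scoring 2 to 10 get a Remediation Action."""
    return event.get("view") == "active" and 2 <= event.get("score", 0) <= 10


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Reversible transform (SHA-256 in counter mode); applying it twice restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class QuarantineStore:
    def __init__(self, folder) -> None:
        self.folder = Path(folder)          # stands in for the agent's Quarantine folder
        self.folder.mkdir(parents=True, exist_ok=True)

    def quarantine(self, path: str) -> str:
        """Transform-and-move; returns a request id that UnQuarantine accepts."""
        plaintext = Path(path).read_bytes()
        request_id = str(uuid.uuid4())
        key = secrets.token_bytes(32)
        (self.folder / f"{request_id}.qtn").write_bytes(_keystream_xor(plaintext, key))
        (self.folder / f"{request_id}.json").write_text(json.dumps({
            "original_path": str(Path(path).resolve()),
            "sha256": hashlib.sha256(plaintext).hexdigest(),
            "key": key.hex(),
        }))
        os.remove(path)
        return request_id

    def unquarantine(self, request_id: str) -> str:
        """Restore the file to its original position after checking its integrity."""
        meta = json.loads((self.folder / f"{request_id}.json").read_text())
        blob = (self.folder / f"{request_id}.qtn").read_bytes()
        plaintext = _keystream_xor(blob, bytes.fromhex(meta["key"]))
        if hashlib.sha256(plaintext).hexdigest() != meta["sha256"]:
            raise RuntimeError("quarantined copy is corrupt; refusing to restore")
        Path(meta["original_path"]).write_bytes(plaintext)
        os.remove(self.folder / f"{request_id}.qtn")
        os.remove(self.folder / f"{request_id}.json")
        return meta["original_path"]


def remediate(event: dict, store: QuarantineStore, action: str) -> dict:
    """Apply Quarantine File or Delete File to a file event and record the outcome."""
    if not is_remediable(event):
        return {"status": "Rejected", "reason": "not in active view or score outside 2-10"}
    if action == "Quarantine File":
        request_id = store.quarantine(event["file"]["path"])
    elif action == "Delete File":
        os.remove(event["file"]["path"])        # permanent: nothing is kept to undo this
        request_id = None
    else:
        return {"status": "Rejected", "reason": f"unknown action {action!r}"}
    event["score"] = 1                          # remediated events carry score 1
    return {"status": "Success", "request_id": request_id}


def round_trip_demo() -> dict:
    """Quarantine a constructed sample file, check it is gone, then restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "OD_downloads.exe"     # constructed stand-in, not a real binary
        original = b"MZ constructed sample content for the quarantine demo"
        sample.write_bytes(original)
        store = QuarantineStore(Path(tmp) / "Quarantine")
        event = {"type": "file", "view": "active", "score": 7, "file": {"path": str(sample)}}
        result = remediate(event, store, "Quarantine File")
        blob = (store.folder / f"{result['request_id']}.qtn").read_bytes()
        removed = not sample.exists()
        restored = Path(store.unquarantine(result["request_id"])).read_bytes()
        # A historic-view copy of the same event must not be actionable at all.
        stale = {"type": "file", "view": "historic", "score": 7, "file": {"path": str(sample)}}
        return {
            "status": result["status"],
            "original_removed": removed,
            "blob_differs": blob != original,
            "restored_identical": restored == original,
            "score_after": event["score"],
            "historic_event_rejected": remediate(stale, store, "Delete File")["status"] == "Rejected",
        }
```

The integrity check on restore is the part worth keeping in any real tooling: a quarantined artefact that has been tampered with on disk should never be written back to its original path.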


Alternatively, you can also view the status for the remediation request from the 
Remediation Action column on the Hunting tab. 


[Screenshot: Hunting tab after submitting the request, with the message "Quarantine File request sent successfully" and the Remediation Action column showing the Quarantine File request against the file event] 

[Screenshot: Responses tab, 84 Total User Activities, with columns Requested Activity, Object, Asset, User and Status. Quarantine File requests with status Success show an UnQuarantine action; the left panel groups activities by Response (delete file, kill process, ...)] 


Remediation action for Process, Mutex, Network events 


For process, mutex, and network events, we provide the Kill Process remediation action. When 
you perform the Kill Process action on a mutex or network event, it kills the corresponding 
parent process. 


1) Select the required event from the Hunting tab and from the Remediation Action 
column, select Kill Process. 


Note: You can also perform the remediation action from the Event Details page. 


[Screenshot: Hunting tab with the Remediation Action drop-down open on the event "Malicious process chrome.exe is executed by explorer.exe", showing the Kill Process option.] 


2) The Kill Process screen is displayed. Under the Related Events column, you can see the 
related file, network, and mutex events. Use the arrow button next to the Score column to 
view the list of related events. 


Note: We display up to 50 related events. 


If the event has related files, you can choose Quarantine File or Delete File for them, or 
perform no action by selecting None. 


3) Enter the comment and click Execute Action. 


[Screenshot: Kill Process window. It states "This response and other actions will be executed on the following events and hosts.", lists the selected process event (DB Browser for SQLite.exe on asset sus-mal) with its related FILE event, offers "Other Available Actions For Related File Events" (None, Quarantine File, Delete File) and requires a comment, for example "Kill Process and quarantine file."] 


4) A pop-up message indicating the status of the submission request is displayed on the 
screen. You can click View Request Status in the pop-up message to view the status (In 
Progress, Success, Failed) of the remediation request on the User Activity tab. 


Alternatively, you can also view the status for the remediation request from the 
Remediation Action column on the Hunting tab. 


[Screenshot: Hunting tab where the Remediation Action column shows "Quarantine File: In Progress" for the related file event and "Kill Process" for the process event "Malicious process DB Browser for SQLite.exe is executed by explorer.exe".] 

[Screenshot: Responses > User Activity tab listing the Kill Process request for DB Browser for SQLite.exe with its date, object path and asset.] 



User Activity 


The User Activity page lists all the remediation activities performed on the events, with 
the following details: 


- The requested remediation action along with the date and time. 

- The object (file/process) and the asset on which the action is performed. 

- The user who performed the remediation action. 

- The current status of the remediation action. 


[Screenshot: Responses > User Activity tab (209 total user activities) listing Quarantine File and UnQuarantine File entries, each with the object, asset (Win10-IOC20), user and Success status; the left pane filters by Response (delete file, kill process, quarantine file, unquarantine file) and by Status.] 


For additional information about the remediation action, click on the remediation action 
from the Requested Activity column. 


[Screenshot: Quarantine File detail dialog: "This remediation action is successfully executed. Refer to the following details." with Action Status (Success), Score, and File Details (Object file-sample_100kB.docx, asset Win10-IOC20, IP address and file path).] 


UnQuarantine File 
This option allows you to restore a quarantined file to its original location. 
1) Click Responses > User Activity. 


2) From the list, select a quarantine file event and from the Status column, click Release. 


[Screenshot: Responses > User Activity tab with a Quarantine File entry (Status: Success) and its UnQuarantine link in the Status column.] 


3) The UnQuarantine File window is displayed. Enter the required comment and click 
Execute Action. 


[Screenshot: UnQuarantine File window stating "This response and other actions will be executed on the following events and hosts." for the selected file on asset Win10-IOC20, with a required Comments field.] 


4) You can track the progress of the action from the User Activity tab. 


Retry Option 
This option allows you to retry the remediation action on failed events. 


1) Select the Failed remediation event and click Retry from the Status column. 


[Screenshot: Responses > User Activity tab listing a Kill Process request for procexp.exe with its date, path and the Retry link in the Status column.] 


2) You will be redirected to the Hunting tab. From the Remediation Action column, select 
the required option from the drop-down list. 


[Screenshot: Hunting tab filtered by the event id of the failed request; the Remediation Action column shows "Quarantine File: Failed" with the request date and a drop-down to choose another action.] 


Event Details 


The Event Details page lists all the information about the events. To view the Event Details 
page, click Quick Actions » Event Details. 


[Screenshot: Hunting tab with the Quick Actions menu open on an event, showing the Event Details and Asset Details options.] 


From the Event Details page, you can perform the remediation actions (Quarantine File/ 
Delete File/ Kill Process) on File, Mutex, Network, and Process events. For more 
information on remediation action, see Remediation action for file events and 
Remediation action for Process, Mutex, Network events. 


MITRE ATT&CK Tactics and Techniques 


MITRE ATT&CK defines the tactics, techniques, and procedures that are leveraged by 
adversaries and malware. EDR helps detect malicious behavior on the endpoint by 
evaluating the events in context with MITRE ATT&CK. 


Events registered on the agents are analyzed, and appropriate ATT&CK tactics and 
techniques are applied on the Event Details page. 


[Screenshot: Event Details page for chrome.exe (Summary tab) showing the process details together with the MITRE ATT&CK Technique/s (Abuse Elevation Control Mechanism) and MITRE ATT&CK Tactic/s fields.] 


Non-Portable Executable Files 


All the detected non-Portable Executable (non-PE) files are listed in the Current View of 
the Hunting tab. Navigate to a non-PE file; in the event details section you can view the 
details of the file as well as the Parent Process and Process Tree details. 


For example, for a .pptx file, the Event Details Summary shows the following details: 


[Screenshot: Event Details Summary for Introduction to cloud.pptx: file name and size (971.11 KB), Created On / Modified On / Accessed On timestamps, Last Modified By, Creating Application (Microsoft Office PowerPoint), Title, Pages, Path and Full Path, file hashes (MD5, SHA256) with a VirusTotal link, and the asset identification (DNS hostname, FQDN, IP address, Asset ID, Last Checked In).] 


View Process Tree for Events 


Click Event Details » Process Tree tab, to view the process tree for File, Process, Mutex, 
Registry, and Network events. The process tree displays all the related events of the 
selected event. 


- Process type event: shows its parent and child processes along with the mutex and 
network connections of the process 

- Network type event: shows the network connection of a process 

- Mutex type event: shows the mutex connection of a process 


In the process tree view, the selected event node is highlighted in blue. You can 
traverse between the nodes by clicking a node in the hierarchy. Click (+) and (-) to expand 
and collapse the tree nodes and display the related events. 


You can click on the event node to view the details of the selected node in the right pane. 


To help you identify event types of nodes in a hierarchy view, similar events are grouped 
under an event type (example: Mutex or Network) and respective event icons are added 
against the node. 
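The relationships the process tree view draws (parent and child processes, mutex and network events grouped under the process that owns them, and the parent process that a Kill Process request on a mutex or network event resolves to) can be reconstructed from a flat list of events. The following is an added example written for this guide, not Qualys code: the event records are constructed stand-ins with simplified field names (id, type, name, pid, ppid), and the grouping and rendering are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events (not real Qualys telemetry). The field names are
# simplified stand-ins for the id, type, name, process id and parent process
# id that the Hunting tab and Event Details page display.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "name": "explorer.exe", "pid": 100, "ppid": 1},
    {"id": "e2", "type": "process", "name": "chrome.exe", "pid": 200, "ppid": 100},
    {"id": "e3", "type": "process", "name": "DB Browser for SQLite.exe", "pid": 300, "ppid": 100},
    {"id": "e4", "type": "mutex", "name": "Global\\ChromeMutex", "pid": 200},
    {"id": "e5", "type": "network", "name": "10.0.0.5:443", "pid": 200},
    {"id": "e6", "type": "network", "name": "10.0.0.9:8080", "pid": 300},
    {"id": "e7", "type": "file", "name": "C:\\Users\\demo\\Downloads\\setup.exe", "pid": 300},
]


@dataclass
class ProcessNode:
    pid: int
    name: str
    ppid: Optional[int] = None                 # parent pid; may not be among the events
    children: list = field(default_factory=list)
    # non-process events grouped by type, the way the tree view groups them
    related: dict = field(default_factory=lambda: defaultdict(list))


def build_tree(events):
    """Index process events by pid, link parents to children, and attach
    mutex/network/file events to the process that owns them."""
    nodes = {}
    for ev in events:
        if ev["type"] == "process":
            nodes[ev["pid"]] = ProcessNode(ev["pid"], ev["name"], ev.get("ppid"))
    for node in nodes.values():
        parent = nodes.get(node.ppid)
        if parent is not None:
            parent.children.append(node)
    for ev in events:
        if ev["type"] != "process":
            owner = nodes.get(ev["pid"])
            if owner is not None:
                owner.related[ev["type"]].append(ev)
    return nodes


def related_events(events, event_id):
    """What the Process Tree pane shows for the selected event: for a process,
    its parent, children and grouped mutex/network/file events; for any other
    event type, the process that owns it."""
    ev = next(e for e in events if e["id"] == event_id)
    nodes = build_tree(events)
    owner = nodes[ev["pid"]]
    if ev["type"] != "process":
        return {"process": owner.name, "pid": owner.pid}
    parent = nodes.get(owner.ppid)
    return {
        "parent": parent.name if parent else None,
        "children": sorted(c.name for c in owner.children),
        "mutex": [r["name"] for r in owner.related.get("mutex", [])],
        "network": [r["name"] for r in owner.related.get("network", [])],
        "file": [r["name"] for r in owner.related.get("file", [])],
    }


def kill_process_target(events, event_id):
    """Resolve which process a Kill Process request on this event refers to.
    The guide states that Kill Process on a mutex or network event kills the
    corresponding parent process, i.e. the process owning the handle/connection."""
    ev = next(e for e in events if e["id"] == event_id)
    if ev["type"] not in ("process", "mutex", "network"):
        raise ValueError(f"Kill Process is not offered for {ev['type']} events")
    owner = build_tree(events)[ev["pid"]]
    return owner.pid, owner.name


def render_tree(nodes, pid, depth=0):
    """Text rendering of the hierarchy, with similar events grouped under
    their event type as the tree view does."""
    node = nodes[pid]
    indent = "  " * depth
    lines = [f"{indent}[process] {node.name} (pid {node.pid})"]
    for etype in ("mutex", "network", "file"):
        group = node.related.get(etype, [])
        if group:
            names = ", ".join(r["name"] for r in group)
            lines.append(f"{indent}  [{etype}] {len(group)} event(s): {names}")
    for child in sorted(node.children, key=lambda c: c.name):
        lines.extend(render_tree(nodes, child.pid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(build_tree(SAMPLE_EVENTS), 100)))
    print(related_events(SAMPLE_EVENTS, "e5"))
```

Selecting the network event e5 resolves to chrome.exe, and a Kill Process request on the mutex event e4 targets the same process, which is the behaviour the guide describes for mutex and network events; a file event is rejected because the guide offers Quarantine File and Delete File, not Kill Process, for files.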


The process tree view also displays a zoom bar and a reset option. 


[Screenshot: Event Details page for DB Browser for SQLite.exe, Process Tree tab, with callouts for the Reset Option, Zoom in and out, Group similar events, the Expand and Collapse option and the Selected event; the right pane ("Information about the selected event") shows the Process Details: event ID, Event Collected Date, Object Type (PROCESS), State (RUNNING), Name and Full Path.] 


Customizable Dynamic Dashboards 


Dashboards help you visualize your assets, see your threat exposure, leverage saved 
searches, and quickly prioritize the remediation of malicious/suspicious events. 


We have integrated Unified Dashboard (UD) with EDR. UD brings information from all 
Qualys applications into a single place for visualization. UD provides a powerful new 
dashboarding framework along with a platform service that all other Qualys products 
consume to enhance their existing dashboard capabilities. 


You can use the default EDR dashboard provided by Qualys or easily configure widgets to 
pull information from other modules/applications and add them to your dashboard. You 
can also add as many dashboards as you like to customize your vulnerability posture view. 


For more information on Unified Dashboards, refer to the Online Help. 


Alerts, Rules, and Actions 


Roles and Permissions 


You can create users and then assign a role to them to grant access as per the role you 
define. Depending on the roles and permissions assigned, the user can perform actions 
like creating, editing, or deleting rules and actions. 


The Administration module is used to create EDR users and assign roles and permissions. 
We have provided some pre-created user roles for EDR. Depending on the role, you get the 
associated set of permissions. 


Note: Users created before EDR version 1.1.0 will continue to have the same permissions. 


- Manager: A user with the Manager role is considered a super-user and has all the 
available permissions. They have full privileges and access to all modules in the 
subscription. Only users with the Manager role can create other users and assign roles. 


- EDR User: By default, the EDR User role has EDR UI Access permissions only, so the user 
can only see the User Activity tab under Responses. 


[Screenshot: Role Edit: EDR User, showing only the Responses tab available to the role.] 


- EDR Analyst: By default, the EDR Analyst role has EDR UI Access permissions and 
Alerting Permissions. 


[Screenshot: Role Edit: EDR Analyst (Edit Mode, Role Details, "Edit permissions for this role" for Endpoint Detection and Response). Alerting Permissions (7 of 7): Alerting Access; Create, Edit, Delete your own Action; Edit any Action; Delete any Action; Create, Edit, Delete your own Rule; Edit any Rule; Delete any Rule. EDR Permissions (1 of 1): EDR UI Access. Response Action Permissions (0 of 4): Kill Process, Quarantine File, UnQuarantine File, Delete File, all unchecked.] 


- EDR Incident Responder and EDR Manager: By default, these roles have EDR UI Access 
permissions, Alerting Permissions, and Response Action Permissions. 


Note: The Manager user can customize the permissions for all the EDR roles. 


The default permissions for the EDR Manager role: 


[Screenshot: Role Edit: EDR Manager (Edit Mode, Role Details, "Edit permissions for this role" for Endpoint Detection and Response). Alerting Permissions (7 of 7): Alerting Access; Create, Edit, Delete your own Action; Edit any Action; Delete any Action; Create, Edit, Delete your own Rule; Edit any Rule; Delete any Rule. EDR Permissions (1 of 1): EDR UI Access. Response Action Permissions (4 of 4): Kill Process, Quarantine File, UnQuarantine File, Delete File, all checked.] 


Configure Rule Based Alerts for Events 


You can configure EDR to monitor events that satisfy the conditions specified in a rule 
and send you alerts if events matching the conditions are detected. For EDR to send alerts, 
you first need to configure a rule action that specifies what action is to be taken when 
matching events are detected; EDR uses the rule action settings to send you the 
alerts. Finally, create a rule that specifies the conditions for triggering it and select the rule 
actions for sending the alert when the rule is triggered. 


Create a New Action 


To create an action, go to Responses » Actions » New Action. 
[Screenshot: Responses > Actions tab listing the existing actions (15 actions) with their type (email), active and disabled rule counts and creation date, and the New Action button.] 


Provide required details in the respective sections to create a new action: 


- In the Basic Information section, provide name and description of the action in the 
Action Name and Description fields respectively. 


- Select an action from the Select Action drop-down and provide the settings for 
configuring the messaging system that EDR will use to send alerts. 


- We support three actions for alerts: Send Email (Via Qualys), Post to Slack, and Send to 
PagerDuty. 


- Select Send Email (Via Qualys) to receive email alerts and specify the email IDs of the 
recipients who will receive the alerts, the subject of the alert message, and the customized 
alert message. 


- Select “Send to PagerDuty” to send alerts to your PagerDuty account. Provide the service 
key that EDR will require to connect to your PagerDuty account. In Default Message 
Settings, specify the subject and the customized alert message. 


- Select Post to Slack to send messages to your Slack channel. Provide the webhook URL to 
post messages from Qualys into Slack. Also, provide the channel and alert message that 
should be posted by default. 


[Screenshot: Create New: Action form. Basic Information: Action Name "Log events action", Description "This action will record all events on log files.", Select Action "Send Email (Via Qualys)". Default Message Settings ("You can add default recipients or edit the default message to be sent"): Recipients jdoe@qualys.com, Subject Line "Events on log files", Message "This message is sent for all log events".] 


Create a New Rule 


To create a rule, go to Responses » Rule Manager » New Rule. You can also create rules 
from the customized queries that are used for widgets on your dashboard. Select the 
Widget menu and choose "Create Rule from this Widget". This option is also available on 
the Hunting page. Go to the Hunting tab, select an event filter in the left pane or type a 
search query in the search bar. Click the actions menu on the right of the search bar and 
select "Create Alert Rule From Search Query" from the menu. 


[Screenshot: Responses > Rule Manager tab listing rules with the Rule Name, Trigger Criteria (Single Match), Aggregate, Action, Last Triggered, State (Enabled/Disabled) and Created On columns.] 


Provide required details in the respective sections to create a new rule: 






- In the Rule Information section, provide a name and description of the new rule in the 
Rule Name and Description fields. 


- In the Rule Query section, specify a query for the rule. The system uses this query to 
search for events. Use the Test Query button to test your query. Click Sample Queries link 
to select from predefined queries. 


- You can choose from three trigger criteria that work in conjunction with the rule query. 
The trigger criteria are: Single Match, Time-Window Count Match and Time-Window 
Scheduled Match. 


- In the Action Settings section choose the actions that you want the system to perform 
when an alert is triggered. 


[Screenshot: Create New: Rule form ("Provide the following information to create the rule"). Rule Information: Rule Name "Rule for score indicator", Description "This rule will list all score between 8 to 10." Rule Query ("Provide a query to match particular source that will trigger the alert"): indicator.score:[8,9,10]. Trigger Criteria: Single Match. Action Settings ("Choose an appropriate alert action"): action pager-1 with Description "Pager alert from POD1", an Insert token control and Message {"key":"value"}.] 


Trigger Criteria 


- Select Single Match if you want the system to generate an alert each time the system 
detects an event matching your search query. 


- Select Time-Window Count Match when you want to generate alerts based on the 
number of events returned by the search query in a fixed time interval. For example, an 
alert is sent when three matching events are found within a 15-minute window. 


[Screenshot: Trigger Criteria set to Time-Window Count Match with No Of Matching Events 3, In 15 Mins, Aggregate Alerts Yes, Aggregate Group Action.] 


- Select Time-Window Scheduled Match when you want to generate alerts for matching 
events that occurred during a scheduled time. The rule is triggered only when an 
event matching your search criteria is found during the time specified in the schedule. 
Choose a date and time range for the schedule and specify how often to run it, for 
example daily, weekly or monthly. For example, send daily alerts with all matches in a 
scheduled window between 4 pm and 5 pm. 


[Screenshot: Trigger Criteria set to Time-Window Scheduled Match: Time Window Starts On 07/20/2020, Start Time 2:26 pm; Time Window Ends On 07/20/2020, End Time 3:26 pm; Repeats Daily; Summary: "Repeats everyday from 02:26 pm to 03:26 pm (1 Hour)"; Aggregate Alerts Yes, Aggregate Group Action.] 


For the Weekly option, select the days of the week on which the schedule will run. For 
example, send weekly alerts with all matches generated between 4:56 pm and 5:56 pm on 
every Monday and Wednesday. 


[Screenshot: Create New: Rule with Repeats set to Weekly and the On Day Of The Week selector; Summary: "Repeats monday from 04:56 pm to 05:56 pm (1.00 hours)".] 


For the Monthly option, specify the day of the month on which the schedule will run. For 
example, send monthly alerts on the first day of every month. 


[Screenshot: Create New: Rule with Repeats set to Monthly and Recurring Day "1 day of the month"; Summary: "Repeats every 1st day of the month from 04:56 pm to 05:56 pm (1.00 hours)"; Aggregate Alerts Yes, Aggregate Group Action.] 


For "Time-Window Count Match" and "Time-Window Scheduled Match", you have the 
option to aggregate the alerts by an aggregate group, such as action, asset hostname 
and so on. 
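The three trigger criteria and the aggregate-group option describe how matches are turned into alerts, which is easier to see on concrete data. The block below is an added example written for this guide, not Qualys code: it uses constructed events, a deliberately minimal one-token reading of the rule query syntax (the real query language is richer), and its own interpretation of the window semantics (a count window opens at the first match; the scheduled window is a daily time-of-day range). The query `indicator.score:[8,9,10]` is the one shown in the rule form above.

```python
from datetime import datetime, time, timedelta

# Constructed sample events (not real EDR telemetry). Keys mirror the query
# tokens used on this page (indicator.score, asset.hostname) plus a timestamp.
SAMPLE_RULE_EVENTS = [
    {"ts": "2020-09-25T16:05:00", "indicator.score": 9, "asset.hostname": "win10-a"},
    {"ts": "2020-09-25T16:09:00", "indicator.score": 10, "asset.hostname": "win10-a"},
    {"ts": "2020-09-25T16:12:00", "indicator.score": 8, "asset.hostname": "win10-b"},
    {"ts": "2020-09-25T16:40:00", "indicator.score": 3, "asset.hostname": "win10-b"},
    {"ts": "2020-09-25T17:30:00", "indicator.score": 10, "asset.hostname": "win10-a"},
]


def parse_query(query):
    """Minimal reading of a one-token rule query: 'field:value' or
    'field:[v1,v2,...]'. This is an assumption made for the example, not the
    product's query grammar."""
    field, _, value = query.partition(":")
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        values = {v.strip() for v in value[1:-1].split(",")}
    else:
        values = {value}
    return field.strip(), values


def matching_events(events, query):
    """Events satisfying the query, oldest first."""
    field, values = parse_query(query)
    return sorted((e for e in events if str(e.get(field)) in values), key=lambda e: e["ts"])


def single_match(events, query):
    """Single Match: one alert per matching event."""
    return [{"matches": [e]} for e in matching_events(events, query)]


def _grouped(events, aggregate_by):
    """Split events by the aggregate group field (or keep one group when None)."""
    groups = {}
    for e in events:
        groups.setdefault(e.get(aggregate_by) if aggregate_by else None, []).append(e)
    return groups


def time_window_count_match(events, query, count, window_minutes, aggregate_by=None):
    """Time-Window Count Match: alert when at least `count` matches fall inside a
    window of `window_minutes` that opens at a match. With aggregate_by set, the
    count is evaluated per group (e.g. per asset hostname) and one alert is raised
    per group; that is how this example reads the Aggregate Group option."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for key, group in _grouped(matching_events(events, query), aggregate_by).items():
        i = 0
        while i < len(group):
            start = datetime.fromisoformat(group[i]["ts"])
            j = i
            while j < len(group) and datetime.fromisoformat(group[j]["ts"]) - start <= window:
                j += 1
            if j - i >= count:
                alerts.append({"group": key, "matches": group[i:j]})
                i = j          # matches already alerted on are not reused
            else:
                i += 1
    return alerts


def time_window_scheduled_match(events, query, start_hhmm, end_hhmm, aggregate_by=None):
    """Time-Window Scheduled Match with a daily schedule: one alert per day (and
    per aggregate group) carrying every match whose time of day lies inside the
    scheduled window, e.g. '16:00' to '17:00' for the 4 pm to 5 pm example."""
    start, end = time.fromisoformat(start_hhmm), time.fromisoformat(end_hhmm)
    buckets = {}
    for e in matching_events(events, query):
        ts = datetime.fromisoformat(e["ts"])
        if start <= ts.time() <= end:
            key = (ts.date().isoformat(), e.get(aggregate_by) if aggregate_by else None)
            buckets.setdefault(key, []).append(e)
    ordered = sorted(buckets.items(), key=lambda kv: (kv[0][0], str(kv[0][1])))
    return [{"day": day, "group": grp, "matches": m} for (day, grp), m in ordered]


if __name__ == "__main__":
    q = "indicator.score:[8,9,10]"
    print(len(single_match(SAMPLE_RULE_EVENTS, q)), "single-match alerts")
    print(time_window_count_match(SAMPLE_RULE_EVENTS, q, 3, 15))
    print(time_window_scheduled_match(SAMPLE_RULE_EVENTS, q, "16:00", "17:00", "asset.hostname"))
```

On the sample data, "3 matches in 15 minutes" fires once without aggregation (three high-score events between 16:05 and 16:12) but not at all when aggregated by asset hostname, because no single host produced three matches in that window; this is the practical effect of the Aggregate Group setting on alert volume. The daily 4 pm to 5 pm schedule collects the same three matches into one alert, or into one alert per host when aggregated.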


Manage Actions 


View the newly created actions in the Actions tab with details such as the name of the 
action, the type of the action, the number of active and inactive rules for which this action 
is chosen, and the user who created the rule. You can use the Actions menu or Quick 
Actions menu to edit, delete and rename an action. Use the search bar to search for 
actions using the search tokens. 


[Screenshot: Responses > Actions tab with the Quick Actions menu (View, Edit, Save As, Delete, Test) open on an action; columns: Action Name, Type, Active Rules, Disabled Rules, Created On.] 






Manage Rules 


The Rule Manager tab lists all the rules that you have created, with the rule name, the 
trigger criteria selected for the rule, whether alert message aggregation is enabled or 
disabled for the rule, the action chosen for the rule, the date and time when the rule was 
last triggered, the state of the rule (enabled or disabled), and the date and time the rule 
was created. 


You can use the Actions menu or Quick Actions menu to edit, enable, disable, delete and 
rename a rule. Use the search bar to search for rules using the search tokens. 


[Screenshot: Responses > Rule Manager tab with the Quick Actions menu (Disable, Save As, Show Activity) open on a rule; columns: Rule Name, Trigger Criteria, Aggregate, Action, Last Triggered, State, Created On (with the creating user).] 
Manage Alerts 


The Activity tab lists all the alerts. For each alert, you will see the rule name, the success or 
failure of sending the alert message, whether aggregation is enabled (Yes) or disabled (No) 
for the rule, the action chosen for the rule, the matches found for the rule, and the user 
who created the rule. 


Search for alerts using our search tokens (1), select a period to view the rules triggered 
during that time frame (2), click any bar to jump to the alerts triggered in a certain 
timeframe (3), use these filters to group the alerts by rule name, action name, email 
recipients and status (4). 


[Screenshot: Responses > Activity tab (7.89M total activities) with the search bar (1), the time period selector (2), the activity bar chart (3) and the left-pane filters by Rule Name and Action Name (4); each row shows the rule name, status (Success), aggregate (Yes), action (Email), matches found and the time the rule was triggered.] 


Malware Protection 


Qualys Multi-Vector EDR now includes integrated antimalware detection capabilities, 
providing additional real-time protection against the latest threats. The new release 
expedites the inevitable convergence of Malware Protection Products with Endpoint 
Detection & Response (EDR) to deliver comprehensive protection against known and 
unknown threats. 


Easily enabled on any endpoint where the Qualys Cloud Agent is installed, the new release 
of Qualys Multi-Vector EDR can be fully managed remotely on any endpoint with internet 
connectivity; no VPN or other network change is needed. Once deployed, the new 
anti-malware component protects you against all kinds of malware (such as viruses, 
spyware, trojans and ransomware), network attacks, and phishing. Details of actions 
taken and information about program operation are available in the Qualys cloud-based 
console. 


Key Capabilities 


- On-access protection: prevents new malware threats from entering the system by 
scanning local and network files when they are accessed (opened, moved, copied or 
executed), boot sectors, and potentially unwanted applications (PUA). 


- On-demand scanning: scans the file system and memory for malware and other threats 
and takes remediation actions. 


- Advanced Protections: continuously monitors applications running on the endpoint for 
malware-like actions and automatically disinfects the detected file. In addition, Qualys 
Malware Protection can expose advanced attacks and suspicious activities in the pre-
execution stage. This layer of security contains machine learning models and stealth 
attack detection technology. 


- Behavioral-based protection: operating on a zero-trust assumption, Qualys Malware 
Protection can monitor active applications and processes for any signs of malicious 
behavior. It relies on actual behavior characteristics instead of signatures or binary or code 
fingerprints. This allows Qualys Malware Protection to consistently detect new 
ransomware variants, other zero-day threats, and file-less attacks. 


- Network and Traffic Protection: prevents malware from being downloaded to the 
endpoint by scanning incoming emails and web traffic in real time. It also protects 
against attack techniques used to gain access to specific endpoints, such as brute-force 
attacks, network exploits, and password stealers. 


- Phishing Protection: automatically blocks known phishing web pages to prevent users 
from inadvertently disclosing private or confidential information to online fraudsters. 


Malware detection events can be viewed and analyzed from the Qualys Cloud Console, 
allowing customers to enrich malicious events with contextual events collected by Qualys 
EDR. 
Get Started with Malware Protection 


We'll help you quickly get started with the Malware Protection setup. You will need to 
install the Qualys Cloud Agent in your environment and have an active Endpoint 
Detection and Response (EDR) subscription. 


Step: Setup Cloud Agent 
Details: Install a Cloud Agent that's been activated for EDR on each asset you want to 
monitor for suspicious activity. See 

Step: Enable Malware Protection on Cloud Agent 
Details: To start collecting information on your endpoints, you need to install the Malware 
Protection on your asset. For that, first, you must enable the Malware Protection for the 
Cloud Agent profile. 

Step: Configuring the AV Profile 
Details: As the virus definitions are downloaded on the endpoint, the default antivirus 
configurations are also downloaded on this endpoint asset. 

Step: Use the Endpoint Detection and Response UI 
Details: In your Qualys EDR module, navigate to the Hunting tab » Historic View tab to 
view the detections done by the Malware Protection. Use the filter to view only Malware 
Protection events in your list. 

Step: Monitor Assets 
Details: You can monitor the detections and the actions performed on those detections on 
your endpoint asset using the Malware Protection and the EDR UI. You can view all the 
files that were terminated or quarantined as per the profile you configured. You can also 
undo actions performed on those detections. 


For more information, see the Online help. 